2016 saw cybersecurity become a national issue, reportedly affecting the U.S. presidential election, and impacting businesses and devices Americans have come to rely on.
IBM X-Force researchers monitor 35 billion security events per day for over 4,500 companies in 133 countries. In this endeavor, they have found that among the many aspects of cybercrime threats and their detrimental effect on consumers and businesses, a few key threats emerged in 2016 and are not likely to subside in 2017:
- Ransomware and digital extortion schemes;
- The weaponization of IoT devices; and
- The critical need for adequate response to data breaches.
Ransomware Likely to Continue Driving Illicit Profits for Cybercriminals
Ransomware, which is malware that encrypts digital data and holds it until the owner pays a ransom, has become a significantly effective security threat in 2016, since proving that people are motivated to pay to recover their data. In the past 12 months, cybercriminals have hit hospitals, educational institutions, police departments, utilities, and other critical infrastructure by using ransomware. In most cases, the affected organization paid the ransom.
Tallying losses for both businesses and consumers paints a grim picture for 2016. In the first 3 months of 2016, more than $209 million in ransomware payments was paid in the U.S. Compared to 2015, that’s a dramatic 771 percent increase from a reported $24 million for all of 2015. This puts ransomware on pace to become a $1 billion market for cybercriminals in 2016. The FBI urged victims to report any attacks so the agency can gain a more comprehensive view of the threat and its impact . With no end in sight, 2017 may be another record year for attackers spreading ransomware.
To shed more light on the factors that drive consumers and businesses to pay to recover data, IBM Security fielded a ransomware survey that revealed an alarming state of affairs. The survey, which tallied responses from both individuals and business executives from different sized enterprises, showed an overall lack of awareness and preparedness in the face of the rising risk of ransomware attacks.
According to the IBM survey, only one-third (31 percent) of consumers have actually heard of ransomware. That lack of awareness may shed light on why little or no action has been taken to protect devices and data: More than half the consumers interviewed do not take any proactive measures to protect themselves from this type of malware, yet they had high levels of confidence in their ability to protect personal devices.
On the enterprise side, the IBM survey found that most employees are unaware of what ransomware is or how it can affect their company. When asked if they know what ransomware is, responses from business executives highlighted that knowledge about ransomware depends on business size and previous experience with similar attacks. Unsurprisingly, the survey also revealed that small and midsize businesses (SMBs) are less prepared than larger businesses.
Read the X-Force Report: Ransomware — How Consumers and Businesses Value Their Data
Escalating Weaponization of the Internet of Things
The Internet of Things (IoT) is the emerging third wave in the development of the internet. According to Gartner, 5.5 million devices go online every day, and 1 million new IoT devices will be sold every hour by 2021. Counting all connected devices, both consumer and industrial grade, the IHS predicted that the IoT market will grow to 30.7 billion devices in 2020 and 75.4 billion in 2025 — far exceeding the number of humans on earth.
The growth and explosive adoption of IoT in personal gadgets, home electronics, and medical and industrial applications has opened a wide door into the crime-ridden neighborhood that is the internet. In this hostile ground, where attackers already possess high levels of technical skills and malicious tools, IoT devices are often completely exposed to cybercrime threats. They are readily exploitable to malicious actors with relative ease and at scale.
Using IoT devices as botnet members to flood targeted online resources is not new. What is new is the weaponization of mass amounts of IoT devices by actors using malware to automate controlling them and then launching massive distributed denial-of-service (DDoS) attacks. With most devices using default or hardcoded passwords, their security is nonexistent in the face of the simplest brute-force attacks, and the outcome has been destructive.
The first wave of weaponized IoT attacks, which leveraged the Mirai malware to infect devices and force them to direct internet traffic to a given target, started in September 2016. At that time, a large telecommunications provider in France was hit by the botnet in a 620 Gbps DDoS attack. Next, a popular security researcher saw the Mirai malware leveraged against IoT devices to trample his website in one of the “biggest assaults the internet ever witnessed.”
In October 2016, Mirai hit again, this time causing Internet outages across the U.S. when its army of hijacked connected devices hit a major DNS service. In late November 2016 a German telecommunications provider suffered its own attack via infected routers.
These cases gave Mirai and copycat BashLite some real-world results that proved beyond a doubt that IoT threats are not baseless: They have already crossed the line into weaponization. The time to act is quickly running out.
Mirai’s favorite flavors are consumers’ IoT devices such as Wi-Fi cameras, smart thermostats, modems, routers, CCTVs and DVRs. Unfortunately, IBM Security has found that only 10 percent of consumers think it’s important to protect home devices. With little to no motivation for better security on the manufacturer’s end, few regulations and a lack of consumer demand for security, 2017 will see a new norm in the generation of IoT DDoS attacks.
Making matters worse, and reminiscent of historical cases where malware source code was intentionally leaked on the Internet, Mirai’s creator leaked its code on a hacking-related discussion board, ultimately unleashing it in the wild where other attackers can pick it up and use it in their own botnets.
Response to Data Breaches to Further Impact Consumers
In 2016, a historic 2.1 billion records were stolen by cybercriminals, including huge heists that affected the users of Yahoo!, LinkedIn and MySpace, to name a few. When organizations of this size are breached and up to 1 billion customer records find their way into the hands of cybercriminals, the long-terms effects of an attack are unexpected and hard to predict.
Businesses who fall prey to targeted attacks and breaches are having difficulty detecting them closer to real time. Ponemon Institute research found that it takes companies an average of 201 days to find out about a breach, extending the window of opportunity during which attackers covertly reside in the breached systems and harvest more data. The more data stolen, the more customers are likely to be affected by the time the breach is discovered, resulting in regulatory fines as well as customer turnover, diminished goodwill and brand loss.
Often, response after breach discovery is slow because 75 percent of companies don’t have formal incident response plans in place. But attacks don’t have to be as destructive and drawn out as they typically turn out to be. Breaches contained within a month cost $1 million less than those contained in more than 30 days. Moreover, the Ponemon study found that the majority of breach costs were related to response activities that must take place after a breach is discovered. These costs can be cut back as much as $400,000 when an adequate plan is in place.
To minimize customer exposure, organizations can plan how to respond to cyberattacks. Making the response more effective and efficient can resolve breaches faster, further reducing impact at a time where costs of handling an attack can easily exceed the initial damage.
Above All: Incident Response and Management Can Minimize Cybercrime Threats
Cyberthreats are going to continue escalating next year. What stands true, beyond the intricacy of each threat category, is that incident response — whether on a personal, consumer or enterprise level — can considerably reduce the impact of any attack. The response plan that people and organizations have in place, along with the organized way every aspect is tackled, is what will eventually dial back the impact and monetary losses for organizations.
Wishing us all a secure 2017!
Principal Consultant, X-Force Cyber Crisis Management, IBM